[Users] Notes on setting spice-proxy console option

Hi,

I have struggled quite a bit to get it up and running. Over time, I have accumulated some notes on various things I did, to share with everyone who is interested in doing this. This complements the online doc in a way that might give me a complete picture in one place. However, I need some clarifications, as I might have forgotten to document certain steps, or certain steps I did turned out not to be necessary in the end. It would be great if experts here could help me get things straight.

My setup is like:

Browser (firefox 24.2 on RHEL6) ------------ ovirt-engine (3.3.2) ------------ ovirt-node (3.0.3)

No direct network connectivity from the browser machine to the node machine.

These are the major things I installed for spice-proxy to work:

* On ovirt-engine:

    yum install spice-gtk virt-viewer spice-xpi
    yum install squid

  /etc/squid/squid.conf updates:

    acl localhost src <browser IP addr>
    #http_access deny CONNECT !SSL_ports
    http_access deny !Safe_ports
    http_port 3128

    service squid restart

  make sure iptables allow 3128

    engine-config -s SpiceProxyDefault=http://<ovirt-engine-IP>:3128
    service ovirt-engine restart

* On browser machine running firefox 24.2.0 on RHEL6, for running the browser console plugin client:

    yum install spice-xpi

  make sure VM's console option is set to SPICE

Are the above steps reasonable? Any missing or redundant?

Additional questions:

1. Will spice-proxy work with the Spice HTML5 client in the browser?
2. Is the spice-proxy architecture diagram like:
   browser --------- squid proxy - spice-proxy ---------------------- VM
3. I didn't explicitly install any certs for the squid proxy. Is it automatically taken care of?

References:
http://www.ovirt.org/Console_Client_Resources
http://www.ovirt.org/Features/Spice_Proxy
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtua...

Thanks.
David

----- Original Message -----
From: "David Li" <david_li@sbcglobal.net> To: users@ovirt.org Cc: "david li" <david_li@sbcglobal.net> Sent: Tuesday, January 28, 2014 7:41:26 PM Subject: [Users] Notes on setting spice-proxy console option
> * On ovirt-engine:
>
>     yum install spice-gtk virt-viewer spice-xpi

These components are client components (what you call Browser machine).

>     yum install squid
>
>   /etc/squid/squid.conf updates:
>
>     acl localhost src <browser IP addr>
>     #http_access deny CONNECT !SSL_ports

I would rather allow CONNECT to specific Spice ports only 5634-6166:

    acl Spice_ports port 5634-6166
    http_access deny CONNECT !Spice_ports

>     http_access deny !Safe_ports
>     http_port 3128
>
>     service squid restart
>
>   make sure iptables allow 3128
>
>     engine-config -s SpiceProxyDefault=http://<ovirt-engine-IP>:3128
>     service ovirt-engine restart
>
> * On browser machine running firefox 24.2.0 on RHEL6, for running the browser console plugin client:
>
>     yum install spice-xpi

spice-xpi should bring its dependencies virt-viewer -> spice-gtk -> etc., but if you do not wish to use the plugin launch type, you may install only virt-viewer (without spice-xpi) and use what I guess is called "Native client" launch type.

>   make sure VM's console option is set to SPICE
>
> Are the above steps reasonable? Any missing or redundant?

Seems fine, just no need for the client packages on the engine.

> Additional questions:
>
> 1. Will spice-proxy work with the Spice HTML5 client in the browser?

Probably, but you would need to set the websocket proxy which is part of installation steps for engine as well (I believe).

> 2. Is the spice-proxy architecture diagram like:
>    browser --------- squid proxy - spice-proxy ---------------------- VM

Browser plugin spice-xpi invokes start of Spice client (virt-viewer) which makes CONNECT to Host machine (where the VM is hosted) through the HTTP proxy (in your case squid).

Client machine ---> Squid ---> Host (where the VM is hosted).

> 3. I didn't explicitly install any certs for the squid proxy. Is it automatically taken care of?

No, no authentication to Squid is supported with Spice now. So if it is a publicly visible proxy, it's important to set careful proxy rules.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
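
Added example (not part of the original thread, and not Squid or oVirt code): a small Python model of Squid's first-match http_access evaluation, showing what the commented-out CONNECT restriction permits and what the Spice_ports rule from the reply changes. The sample squid.conf text, the address 192.0.2.10 and the stock-style SSL_ports/Safe_ports values are constructed assumptions; only the acl types port, method and src are modelled.

```python
import ipaddress

# Constructed sample modelled on the squid.conf lines quoted in the thread.
# 192.0.2.10 stands in for "<browser IP addr>"; the SSL_ports/Safe_ports
# values and the final allow/deny lines are assumed stock-style defaults.
WEAK = """
acl localhost src 192.0.2.10
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535
acl CONNECT method CONNECT
#http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow localhost
http_access deny all
http_port 3128
"""

# Same file with the restriction suggested in the reply.
HARDENED = WEAK.replace(
    "#http_access deny CONNECT !SSL_ports",
    "acl Spice_ports port 5634-6166\nhttp_access deny CONNECT !Spice_ports",
)


def parse(conf):
    """Return (acls, rules): acl name -> (type, values), ordered http_access rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments
        if len(words) >= 4 and words[0] == "acl":
            # Repeated acl lines with the same name accumulate values.
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Test one named ACL against a request dict (method, port, src)."""
    if name == "all":  # built-in ACL in Squid 3 and later
        return True
    kind, values = acls[name]
    if kind == "port":
        ranges = (v.partition("-") for v in values)
        return any(int(lo) <= req["port"] <= int(hi or lo) for lo, _, hi in ranges)
    if kind == "method":
        return req["method"] in values
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        return any(src in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError("ACL type not modelled: " + kind)


def decide(conf, method, port, src):
    """Return 'allow' or 'deny': the first line whose ACLs all match wins."""
    acls, rules = parse(conf)
    req = {"method": method, "port": port, "src": src}
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line (deny if none).
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        for port in (22, 3306, 5900):
            print(label, "CONNECT", port, "->", decide(conf, "CONNECT", port, "192.0.2.10"))
```

With the CONNECT line commented out, the permitted client can tunnel to any port in Safe_ports; with the Spice_ports rule, only 5634-6166 remains reachable through CONNECT.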

Hi Marian,

Thanks a lot for the clarification!

Another question: In my spice-xpi console window, I can't get out of it by SHIFT+F12. Should I use something else?

David

----- Original Message -----
From: "David Li" <david_li@sbcglobal.net> To: "Marian Krcmarik" <mkrcmari@redhat.com> Cc: users@ovirt.org Sent: Tuesday, January 28, 2014 10:37:18 PM Subject: Re: [Users] Notes on setting up spice-proxy console option
> Hi Marian,
>
> Thanks a lot for the clarification!
>
> Another question: In my spice-xpi console window, I can't get out of it by SHIFT+F12. Should I use something else?

It should work. You mentioned you used RHEL/CentOS 6.5 as the client (what you call Browser) machine. In that case, can you edit the /etc/spice/logger.ini file and change INFO to DEBUG in the line "log4j.rootCategory=INFO, R"? Restart Firefox, make a connection to the VM and check the ~/.spicec/spice-xpi.log file for the line "DEBUG nsPluginInstance::SetHotKeys: release-cursor=shift+f12,toggle-fullscreen=shift+f11" (looking for the value of "release-cursor"). If the value is not shift+f12, can you check the value of "SpiceReleaseCursorKeys" on the engine using the ovirt-config tool? If the value is shift-f12, can you run the xev tool on the VM and check what keys it sees pressed when pressing the shift-f12 combo?

> David

Hi Marian,

Here is what I found and with more questions on this SHIFT+F12 issue:
1. I changed the logger.ini as you suggested, restarted firefox and launched the spice console.
2. I looked at the spice-xpi.log file but didn't find any trace of "release-cursor".
3. On the engine machine, I have:
   SpiceReleaseCursorKeys: shift+f12 version: general
4. What's the xev tool on the VM you want me to run? I can't find such a command.

Thanks.

----- Original Message -----
From: "David Li" <david_li@sbcglobal.net> To: "Marian Krcmarik" <mkrcmari@redhat.com> Cc: users@ovirt.org Sent: Thursday, January 30, 2014 11:44:40 PM Subject: Re: [Users] Notes on setting up spice-proxy console option
> 1. I changed the logger.ini as you suggested, restarted firefox and launched the spice console.
> 2. I looked at the spice-xpi.log file but didn't find any trace of "release-cursor".

One more way to check this is to change the "console invocation" in the "console options dialog" to "Native client" and then try to connect. It will attempt to download a .vv file. If you have it, you could open it and look for a line like:

    release-cursor=shift+f12

If it contains it, you can try to connect from the command line using this file, like:

    remote-viewer path_to_console.vv

If it does not, it is either a misconfigured "SpiceReleaseCursorKeys" or an engine bug. Anyway, you can try to manually edit the console.vv file, add the "release-cursor=shift+f12" line and try to connect using remote-viewer again to see if it works this way. This way we will at least find out if the problem is in the engine, SPICE or the configuration.

Thanx,
Tomas

> 3. On the engine machine, I have:
>    SpiceReleaseCursorKeys: shift+f12 version: general
> 4. What's the xev tool on the VM you want me to run? I can't find such a command.
>
> Thanks.

On Jan 28, 2014, at 20:14 , Marian Krcmarik <mkrcmari@redhat.com> wrote:
>> 1. Will spice-proxy work with the Spice HTML5 client in the browser?
>
> Probably, but you would need to set the websocket proxy which is part of installation steps for engine as well (I believe).

since it's a proxy as well I'd recommend to use it instead of squid, not in addition. By default it's installed on the engine host but it can be deployed anywhere else.

----- Original Message -----
From: Michal Skrivanek <michal.skrivanek@redhat.com> To: Marian Krcmarik <mkrcmari@redhat.com>; David Li <david_li@sbcglobal.net> Cc: users@ovirt.org Sent: Wednesday, January 29, 2014 6:00 AM Subject: Re: [Users] Notes on setting spice-proxy console option
>>> 1. Will spice-proxy work with the Spice HTML5 client in the browser?
>>
>> Probably, but you would need to set the websocket proxy which is part of installation steps for engine as well (I believe).
>
> since it's a proxy as well I'd recommend to use it instead of squid, not in addition. By default it's installed on the engine host but it can be deployed anywhere else.

I am interested in trying this. I tried before but didn't succeed. Is it enough to configure websocket proxy on the engine like this?

    WebSocketProxy: <engine-IP-addr>:6100 version: general
    WebSocketProxyTicketValiditySeconds: 120 version: general

Any pointer to a good setup guide?

David

On 29 Jan 2014, at 16:59, David Li <david_li@sbcglobal.net> wrote:
> I am interested in trying this. I tried before but didn't succeed. Is it enough to configure websocket proxy on the engine like this?

Well, this is the default deployment on engine. The engine host is the proxy. If that's what you need, there is no additional configuration needed. Just say yes to websocket proxy during installation and import ca.crt into your browser. Only if you want to run the proxy elsewhere do you need to update the below parameters accordingly.

Thanks,
michal

>     WebSocketProxy: <engine-IP-addr>:6100 version: general
>     WebSocketProxyTicketValiditySeconds: 120 version: general
>
> Any pointer to a good setup guide?
>
> David
participants (4): David Li, Marian Krcmarik, Michal Skrivanek, Tomas Jelinek